Failure is Not an Option

An Exceptional Type Theory 


Pierre-Marie Pédrot (1) and Nicolas Tabareau (2)

(1) Max Planck Institute
(2) Inria, France


Abstract. We define the exceptional translation, a syntactic translation
of the Calculus of Inductive Constructions (CIC) into itself, that covers
full dependent elimination. The new resulting type theory features call-by-name
exceptions with decidable type-checking and canonicity, but
at the price of inconsistency. Then, noticing that parametricity amounts to
Kreisel's realizability in this setting, we provide an additional layer on
top of the exceptional translation in order to tame exceptions and ensure
that all exceptions used locally are caught, leading to the parametric
exceptional translation, which fully preserves consistency. This way, we can
consistently extend the logical expressivity of CIC with independence of
premises, Markov's rule, and the negation of function extensionality while
retaining η-expansion. As a byproduct, we also show that Markov's principle
is not provable in CIC. Both translations have been implemented
in a Coq plugin, which we use to formalize the examples.


1 Introduction 

Monadic translations constitute a canonical way to add effects to pure functional
languages [1]. Until recently, this technique was not available for type theories
such as CIC because of complex interactions with dependency. In a recent paper
[2], we have presented a generic way to extend the monadic translation to
dependent types, using the weaning translation, as soon as the monad under
consideration satisfies a crucial property: being self-algebraic. Indeed, in the same
way that the universe of types is itself a type (of a higher universe) in type
theory, the type of algebras of a monad T

    Σ A : □_i. T A → A

needs to be itself an algebra of the monad to allow a correct translation of the
universe. However, in general, the weaning translation does not interpret all of
CIC because dependent elimination needs to be restricted to linear predicates,
that is, those that are intuitively call-by-value [3]. In this paper, we study the
particular case of the error monad, and show that its weaning translation can
be simplified and tweaked so that full dependent elimination is valid.


This exceptional translation gives rise to a novel extension of CIC with new
computational behaviours, namely call-by-name exceptions (3). That is, the type
theory induced by the exceptional translation features new operations to raise
and catch exceptions. This new logical expressivity comes at a cost, as the
resulting theory is not consistent anymore, although it is still computationally
relevant. This means that it is possible to prove a contradiction, but, thanks to
a weak form of canonicity, only because of an unhandled exception. Furthermore,
the translation allows us to reason directly in CIC on terms of the exceptional
theory, letting us prove e.g. that, assuming some properties on its input, an
exceptional function actually never raises an exception. We thus have a sound
logical framework to prove safety properties about impure dependently-typed
programs.

We then push this technique further by noticing that parametricity provides
a systematic way to describe that a term is not allowed to produce uncaught
exceptions, bridging the gap between Kreisel's modified realizability [3] and
parametricity [5] inside type theory. This parametric exceptional translation ensures
that all exceptions used locally are caught, thus ensuring consistency of the
resulting theory. We exploit this computational extension of CIC to show various
logical results over CIC.

Contributions.

— We describe the exceptional translation, the first monadic translation for the
error monad for CIC, including strong elimination of inductive types, resulting
in a sound logical framework to reason about impure dependently-typed
programs.

— We use parametricity to extend the exceptional translation, getting a
consistent variant dubbed the parametric exceptional translation.

— We show that Markov's rule is admissible in CIC and, more generally, that
classical logic is conservative over the type-theoretic version of Π⁰₂ formulae.

— We show that definitional η-expansion together with the negation of function
extensionality is admissible in CIC.

— We show that there exists a syntactical model of CIC that validates the
independence of premises (which is known to be generally not valid in
intuitionistic logic [6]) and use it to recover the recent result of Coquand and
Mannaa [7], i.e., that Markov's principle is not provable in CIC.

— We provide a Coq plugin (4) that implements both translations and with which
we have formalized all the examples.

Plan of the paper. In Section 2 we describe the exceptional translation and the
resulting new computational principles arising from it. In Section 3 we present
the parametric variant of the exceptional translation. Section 4 is devoted to the
various logical results resulting from the parametric exceptional translation. In
Section 5 we discuss possible extensions of the translation with negative records
and an impredicative universe. Section 6 describes the Coq plugin and illustrates
its use on a concrete example. We discuss related work in Section 7 and conclude
in Section 8.

(3) The fact that the resulting exceptions are call-by-name is explained in detail in [2]
using a call-by-push-value decomposition. Intuitively, it comes from the fact that
CIC is naturally call-by-name.

(4) The plugin is available at https://github.com/CoqHott/exceptional-tt

    A, B, M, N ::= □_i | x | M N | λx : A. M | Πx : A. B

    Γ, Δ ::= · | Γ, x : A

                        Γ ⊢ A : □_i
    -------           ----------------
      ⊢ ·               ⊢ Γ, x : A

      ⊢ Γ    i < j          Γ ⊢ A : □_i    Γ, x : A ⊢ B : □_j
    -----------------     ----------------------------------------
     Γ ⊢ □_i : □_j            Γ ⊢ Πx : A. B : □_max(i,j)

     Γ, x : A ⊢ M : B    Γ ⊢ Πx : A. B : □_i       Γ ⊢ M : Πx : A. B    Γ ⊢ N : A
    ------------------------------------------    ------------------------------------
          Γ ⊢ λx : A. M : Πx : A. B                    Γ ⊢ M N : B{x := N}

       Γ ⊢ A : □_i            Γ ⊢ M : B    Γ ⊢ A : □_i        Γ ⊢ M : B    Γ ⊢ A : □_i    A ≡ B
    ------------------      ---------------------------      -------------------------------------
     Γ, x : A ⊢ x : A           Γ, x : A ⊢ M : B                        Γ ⊢ M : A

    (λx : A. M) N ≡ M{x := N}          (congruence rules omitted)

Fig. 1. Typing rules of CCω

2 The Exceptional Translation 

We define in this section the exceptional translation as a syntactic translation 
between type theories. We call the target theory T, upon which we will make 
various assumptions depending on the objects we want to translate. 

2.1 Adding Exceptions to CCω

In this section, we describe the exceptional translation over a purely negative
theory, i.e., featuring only universes and dependent functions, called CCω, which
is presented in Figure 1. This theory is a predicative version of the Calculus
of Constructions [8], with an infinite hierarchy of universes □_i instead of one
impredicative sort. We assume from now on that T contains at least CCω itself.

The exceptional translation is a simplification of the weaning translation [2]
applied to the error monad. Because it is specifically tailored for
exceptions, it admits a more compact presentation.

Let E : □_0 be a fixed type of exceptions in T. The weaning translation for
the error monad amounts to interpreting types as algebras, i.e., as inhabitants of
the dependent sum Σ A : □_i. (A + E) → A. In this paper, we take advantage of
the fact that the algebra morphism restricted to A is always the identity. Thus
every type just comes with a way to interpret failure on this type, i.e. types
are intuitively interpreted as a pair of an A : □_i with a default (raise) function
A_∅ : E → A. In practice, it is slightly more complicated as the universe of types
is itself a type, so its interpretation must come with a default function. We
overcome this issue by assuming a term type_i representing types that can raise
exceptions. This type comes with two constructors: TypeVal_i, which allows to
construct a type_i from a type and a default function on this type; and another
constructor TypeErr_i that represents the default function at the level of type_i.
Furthermore, type_i is equipped with an eliminator type_elim_i and thus can be
thought of as an inductive definition. For simplicity, we axiomatize it instead of
requiring inductive types in the target of the translation.

Definition 1. We assume that T features the data below, where the i, j indices stand
for universe polymorphism.

— Ω_i : E → □_i

— ω_i : Πe : E. Ω_i e

— type_i : □_j, where i < j

— TypeVal_i : ΠA : □_i. (E → A) → type_i

— TypeErr_i : E → type_i

— type_elim_{i,j} : ΠP : type_i → □_j.
      (Π(A : □_i) (A_∅ : E → A). P (TypeVal_i A A_∅)) →
      (Πe : E. P (TypeErr_i e)) → ΠT : type_i. P T

subject to the following definitional equations:

    type_elim_{i,j} P p_v p_∅ (TypeVal_i A A_∅) ≡ p_v A A_∅
    type_elim_{i,j} P p_v p_∅ (TypeErr_i e) ≡ p_∅ e

The term Ω_i describes what it means for a type to fail, i.e. it ascribes a
meaning to sequents of the form Γ ⊢ M : fail e. In practice, it is irrelevant and
can be chosen to be degenerate, e.g. Ω_i := λ_ : E. unit.

In what follows, we often leave the universe indices implicit although they
can be retrieved at the cost of more explicit annotations.

Before defining the exceptional translation we need to derive a term El_i (5) that
recovers the underlying type from an inhabitant of type_i and a term Err_i that lifts the
default function to this underlying type.

Definition 2. From the data of Definition 1 we derive the following terms.

    El_i : type_i → □_i
    El_i := λA : type_i. type_elim (λT : type_i. □_i)
                (λ(A_0 : □_i) (A_∅ : E → A_0). A_0) Ω_i A

    Err_i : ΠA : type_i. E → El_i A
    Err_i := λ(A : type_i) (e : E). type_elim El_i
                (λ(A_0 : □_i) (A_∅ : E → A_0). A_∅ e) ω_i A

(5) The notation El refers to universes à la Tarski in Martin-Löf type theory.
    [□_i] := TypeVal type_i TypeErr_i

    [x] := x

    [λx : A. M] := λx : ⟦A⟧. [M]

    [M N] := [M] [N]

    [Πx : A. B] := TypeVal (Πx : ⟦A⟧. ⟦B⟧) (λ(e : E) (x : ⟦A⟧). [B]_∅ e)

    [A]_∅ := Err [A]

    ⟦A⟧ := El [A]

    ⟦·⟧ := ·

    ⟦Γ, x : A⟧ := ⟦Γ⟧, x : ⟦A⟧

Fig. 2. Exceptional Translation


The exceptional translation is defined in Figure 2. As usual for syntactic
translations [5], the term translation is given by [·] and the type translation,
written ⟦·⟧, is derived from it using the function El. There is an additional
macro [·]_∅, defined using Err_i, which corresponds to the way to inhabit a given
type from an exception.

Note that we will often slightly abuse the translation and use the [·] and ⟦·⟧
notation as macros acting on the target theory. This is merely for readability
purposes, and the corresponding uses are easily expanded to the actual term.

The following lemma makes explicit how ⟦·⟧ and [·]_∅ behave on universes and
on the dependent function space.

Lemma 1 (Unfoldings). The following definitional equations hold:

— ⟦□_i⟧ ≡ type_i

— ⟦Πx : A. B⟧ ≡ Πx : ⟦A⟧. ⟦B⟧

— [□_i]_∅ e ≡ TypeErr_i e

— [Πx : A. B]_∅ e ≡ λx : ⟦A⟧. [B]_∅ e

Proof. By unfolding and straightforward reductions.

The soundness of the translation follows from the following properties, which
are fundamental but straightforward to prove.

Theorem 1 (Soundness). The following properties hold.

— [M{x := N}] ≡ [M]{x := [N]} (substitution lemma).

— If M ≡ N then [M] ≡ [N] (conversion lemma).

— If Γ ⊢ M : A then ⟦Γ⟧ ⊢ [M] : ⟦A⟧ (typing soundness).

— If Γ ⊢ A : □_i then ⟦Γ⟧ ⊢ [A]_∅ : E → ⟦A⟧ (exception soundness).

Proof. The first property is by routine induction on M, the second is direct
by induction on the conversion derivation. The third is by induction on the
typing derivation, the most important rule being □_i : □_j, which holds because
[□_i] = TypeVal type_i TypeErr_i has type type_j, which is convertible to ⟦□_j⟧ by
Lemma 1. The last property is a direct application of typing soundness and the
unfolding of Lemma 1 for universes.

We call T_E the theory arising from this interpretation, which is formally
defined in a way similar to standard categorical constructions over dependent
type theory. Terms and contexts of T_E are simply terms and contexts of T. A
context Γ is valid in T_E whenever its translation ⟦Γ⟧ is valid in T. Two terms
M and N are convertible in T_E whenever their translations [M] and [N] are
convertible in T. Finally, Γ ⊢_{T_E} M : A whenever ⟦Γ⟧ ⊢_T [M] : ⟦A⟧.

That is, the only way to extend T_E is to add a new constant c of a given
type A and to provide an inhabitant c_E of the translated type ⟦A⟧. Then the
translation is extended with [c] := c_E. The potential computational rules satisfied
by this new constant are directly given by the computational rules satisfied
by its translation. In some sense, the new constant c is just syntactic sugar for
c_E. Using T_E, Theorem 1 can be rephrased in the following way.

Theorem 2. If T interprets CCω then so does T_E, that is, the exceptional
translation is a syntactic model of CCω.
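The data of Definitions 1 and 2 and the universe and Π cases of Figure 2, written out in Coq as an added example (not code from the paper or from the exceptional-tt plugin). It assumes an exception type E, defines type_E as an actual inductive instead of an axiomatised eliminator, leaves universe levels to Coq with polymorphism switched on, and uses identifiers of our own choosing; Lemma 1 and an instance of Theorem 1 are then checked by conversion.

```coq
(* Added example, not from the paper or the exceptional-tt plugin.
   E is the assumed type of exceptions (Definition 1). *)
Parameter E : Type.

Set Universe Polymorphism.

(* type_i of Definition 1, as an inductive: a type paired with its default
   (raise) function, or an erroneous type carrying an exception *)
Inductive type_E : Type :=
| TypeVal : forall (A : Type), (E -> A) -> type_E
| TypeErr : E -> type_E.

(* El_i (Definition 2): the underlying type; Omega_i is taken degenerate,
   so an erroneous type is interpreted by unit *)
Definition El (T : type_E) : Type :=
  match T with
  | TypeVal A _ => A
  | TypeErr _ => unit
  end.

(* Err_i (Definition 2): the default function lifted to the underlying type;
   on TypeErr the inhabitant of unit plays the role of omega_i *)
Definition Err (T : type_E) (e : E) : El T :=
  match T as T0 return El T0 with
  | TypeVal _ A0 => A0 e
  | TypeErr _ => tt
  end.

(* [□] := TypeVal type TypeErr (Figure 2) *)
Definition univ_tr : type_E := TypeVal type_E TypeErr.

(* [Πx:A. B] := TypeVal (Πx:⟦A⟧. ⟦B⟧) (λ e x. [B]_∅ e) (Figure 2), with the
   translated codomain given as a function of the translated domain *)
Definition pi_tr (A : type_E) (B : El A -> type_E) : type_E :=
  TypeVal (forall x : El A, El (B x)) (fun e x => Err (B x) e).

(* Lemma 1 (Unfoldings): all four equations hold definitionally *)
Lemma unfold_univ : El univ_tr = type_E.
Proof. reflexivity. Qed.

Lemma unfold_pi (A : type_E) (B : El A -> type_E) :
  El (pi_tr A B) = (forall x : El A, El (B x)).
Proof. reflexivity. Qed.

Lemma unfold_univ_err (e : E) : Err univ_tr e = TypeErr e.
Proof. reflexivity. Qed.

Lemma unfold_pi_err (A : type_E) (B : El A -> type_E) (e : E) :
  Err (pi_tr A B) e = (fun x : El A => Err (B x) e).
Proof. reflexivity. Qed.

(* Theorem 1 on one term: [λ(A:□)(x:A). x] inhabits ⟦Π(A:□)(x:A). A⟧,
   i.e. the translated identity has the translated type *)
Definition id_tr : El (pi_tr univ_tr (fun A => pi_tr A (fun _ => A))) :=
  fun (A : type_E) (x : El A) => x.
```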


2.2 Exceptional Inductive Types

The fact that the only effect we consider is raising exceptions does not really
affect the negative fragment when compared to our previous work [2], but it
sure shines when it comes to interpreting inductive datatypes. Indeed, as
explained in the introduction, the weaning translation only interprets a subset of
CIC, restricting dependent elimination to linear predicates. Furthermore, it also
requires a few syntactic properties of the underlying monad ensuring that
positivity criteria are preserved through the translation, which can be sometimes
hard to obtain.

The exceptional translation diverges from the weaning translation precisely
on inductive types. It allows a more compact translation of the latter, while at
the same time providing a complete interpretation of CIC, that is, including full
dependent elimination.

From now on, we assume that the target theory is a predicative restriction
of CIC, i.e. that we can construct in it new inductive datatypes as we do in
e.g. Coq [10], but without considering an impredicative universe. That is, all
the inductive types we consider in this section live in □. As a matter of fact,
we slightly abuse the usual nomenclature and simply call CIC this predicative
fragment in the remainder of the paper. We refrain from describing the generic
typing rules that extend CCω into CIC, as they are fairly standard and would
take up too much space. See for instance Werner's thesis for a comprehensive
presentation [11].
    [I] := λ(p_1 : ⟦P_1⟧) ... (p_n : ⟦P_n⟧) (i_1 : ⟦I_1⟧) ... (i_m : ⟦I_m⟧).
              TypeVal (I★ p_1 ... p_n i_1 ... i_m) (I_∅ p_1 ... p_n i_1 ... i_m)

    [c_1] := c_1★    ...    [c_k] := c_k★

Fig. 3. Inductive Type Translation


Type and Constructor Translation. As explained before, the intuitive
interpretation of a type through the exceptional translation is a pair of a type and a
default function from exceptions into that type. In particular, when translating
some inductive type I, we must come up with a type ⟦I⟧ together with a default
function E → ⟦I⟧. As soon as E is inhabited, that means that we need ⟦I⟧ to be
inhabited, preferably in a canonical way. The solution is simple: just as for types,
where we freely added the exceptional case by means of the TypeErr constructor,
we freely add exceptions to every inductive type.

In practice, there is an elegant and simple way to do this. It just consists
in translating constructors pointwise, while adding a new dedicated constructor
standing for the exceptional case. We now turn to the formal construction.

Definition 3. Let I be an inductive datatype with

— parameters p_1 : P_1, ..., p_n : P_n;

— indices i_1 : I_1, ..., i_m : I_m;

— constructors

    c_1 : Π(a_{1,1} : A_{1,1}) ... (a_{1,l_1} : A_{1,l_1}). I p_1 ... p_n V_{1,1} ... V_{1,m}
    ...
    c_k : Π(a_{k,1} : A_{k,1}) ... (a_{k,l_k} : A_{k,l_k}). I p_1 ... p_n V_{k,1} ... V_{k,m}

We define the exceptional translation of I and its constructors in Figure 3,
where I★ is the inductive type defined by

— parameters p_1 : ⟦P_1⟧, ..., p_n : ⟦P_n⟧;

— indices i_1 : ⟦I_1⟧, ..., i_m : ⟦I_m⟧;

— constructors

    c_1★ : Π(a_{1,1} : ⟦A_{1,1}⟧) ... (a_{1,l_1} : ⟦A_{1,l_1}⟧). I★ p_1 ... p_n [V_{1,1}] ... [V_{1,m}]
    ...
    c_k★ : Π(a_{k,1} : ⟦A_{k,1}⟧) ... (a_{k,l_k} : ⟦A_{k,l_k}⟧). I★ p_1 ... p_n [V_{k,1}] ... [V_{k,m}]

    I_∅ : Π(i_1 : ⟦I_1⟧) ... (i_m : ⟦I_m⟧). E → I★ p_1 ... p_n i_1 ... i_m

where in the recursive calls in the various A, we locally set

    ⟦I M_1 ... M_n N_1 ... N_m⟧ := I★ [M_1] ... [M_n] [N_1] ... [N_m].

Example 1. We give a few representative examples of the inductive translation
in Figure 4 in a Coq-like syntax. They were chosen because they are simple
instances of inductive types featuring parameters, indices and recursion in an
orthogonal way. For convenience, we write Σ A (λx : A. B) as Σx : A. B.
    Ind bool : □ :=
    | true : bool
    | false : bool

    Ind list (A : □) : □ :=
    | nil : list A
    | cons : A → list A → list A

    Ind Σ (A : □) (B : A → □) : □ :=
    | ex : Π(x : A) (y : B x). Σ A B

    Ind eq (A : □) (x : A) : A → □ :=
    | refl : eq A x x


    Ind bool★ : □ :=
    | true★ : bool★
    | false★ : bool★
    | bool_∅ : E → bool★

    Ind list★ (A : ⟦□⟧) : □ :=
    | nil★ : list★ A
    | cons★ : ⟦A⟧ → list★ A → list★ A
    | list_∅ : E → list★ A

    Ind Σ★ (A : ⟦□⟧) (B : ⟦A⟧ → □) : □ :=
    | ex★ : Π(x : ⟦A⟧) (y : ⟦B x⟧). Σ★ A B
    | Σ_∅ : E → Σ★ A B

    Ind eq★ (A : ⟦□⟧) (x : ⟦A⟧) : ⟦A⟧ → □ :=
    | refl★ : eq★ A x x
    | eq_∅ : Πy : ⟦A⟧. E → eq★ A x y

Fig. 4. Examples of Translations of Inductive Types


Remark 1. The fact that we locally override the translation for recursive calls
on the ⟦·⟧ translation of the type being defined means that we cannot handle
cases where the translation of the type of a constructor actually contains an
instance of [I]. Because of the syntactic positivity criterion, the only possibility
for such a situation to occur in CIC is in the so-called nested inductive definitions.
However, nested inductive types are essentially a programming convenience, as
most nested types can be rewritten in an isomorphic way that is not nested.

Lemma 2. If I is given as in Definition 3, we have for any terms M, N

    ⟦I M_1 ... M_n N_1 ... N_m⟧ ≡ I★ [M_1] ... [M_n] [N_1] ... [N_m].

This justifies a posteriori the simplified local definition we used in the
recursive calls of the translation of the constructors.

Theorem 3. For any inductive type I not using nested inductive types, the
translation from Definition 3 is well-typed and satisfies the positivity criterion.

Proof. Preservation of typing is a consequence of Theorem 1. The restriction
on nested types, which is slightly stronger than the usual positivity criterion of
CIC, is due to the fact that I_∅ is not available in the recursive calls and thus
cannot be used to build a term of type type_i via the TypeVal constructor.

Preservation of the positivity criterion is straightforward, as the shape of
every constructor c_k is preserved, and furthermore by Lemma 2 the structure of
every argument type is preserved by ⟦·⟧ as well. The only additional constructor
I_∅ does not mention the recursive type and is thus automatically positive.

Corollary 1. Type soundness holds for the translation of inductive types and
their constructors.

Pattern-Matching Translation. We now turn to the translation of the
elimination of inductive terms, that is, pattern matching. Once again, its definition
originates from the fact that we are working with call-by-name exceptions. It
is well-known that in call-by-name, pattern matching implements a delimited
form of call-by-value, by forcing its scrutinee before proceeding, at least up to
the head constructor. Therefore, as soon as the matched term (re-)raises an
exception, the whole pattern-matching re-raises the same exception. A little care
has to be taken in order to accommodate the fact that the return type of the
pattern-matching depends on the scrutinee, in particular when it is the default
constructor of the inductive type.

In what follows, we use the i_1 ... i_m notation for clarity, but compact it to i
for space reasons when appropriate.

Definition 4. Assume an inductive I as given in Definition 3. Let Q be the
well-typed pattern-matching defined as

    match M return λ(i_1 : I_1) ... (i_m : I_m) (x : I X_1 ... X_n i_1 ... i_m). R with
    | c_1 a_{1,1} ... a_{1,l_1} ⇒ N_1
    ...
    | c_k a_{k,1} ... a_{k,l_k} ⇒ N_k
    end

where

    Γ ⊢ X : P    Γ ⊢ Y : I{p := X}    Γ ⊢ M : I X_1 ... X_n Y_1 ... Y_m
    Γ, i : I{p := X}, x : I X i ⊢ R : □    Γ ⊢ Q : R{i := Y, x := M}

    Γ, a_1 : A_1 ⊢ N_1 : R{i := V_1{p := X}, x := c_1 X a_1}
    ...
    Γ, a_k : A_k ⊢ N_k : R{i := V_k{p := X}, x := c_k X a_k}

then we pose [Q] to be the following pattern-matching.

    match [M] return λ(i_1 : ⟦I_1⟧) ... (i_m : ⟦I_m⟧) (x : I★ [X_1] ... [X_n] i_1 ... i_m). ⟦R⟧ with
    | c_1★ a_{1,1} ... a_{1,l_1} ⇒ [N_1]
    ...
    | c_k★ a_{k,1} ... a_{k,l_k} ⇒ [N_k]
    | I_∅ i_1 ... i_m e ⇒ [R]_∅{x := I_∅ X_1 ... X_n i_1 ... i_m e} e
    end

Lemma 3. With notations and typing assumptions from Definition 4, we have
⟦Γ⟧ ⊢ [Q] : ⟦R⟧{i := [Y], x := [M]}.

Proof. Mostly a consequence of Theorem 1 applied to all of the premises of the
pattern-matching rule. The only thing we have to check specifically is that the
branch for the default constructor I_∅ is well-typed as

    ⟦Γ⟧, i : I{p := X}, e : E ⊢ [R]_∅{x := I_∅ X i e} e : ⟦R⟧{x := I_∅ X i e}

which is also due to Theorem 1 applied to R.
Lemma 4. The translation preserves ι-rules.

Proof. Immediate, as the translation preserves the structure of the patterns.

The translation is also applicable to fixpoints, but for the sake of readability
we do not want to fully spell it out, although it is simply defined by congruence
(commutation with the syntax). As such, it trivially preserves typing and reduction
rules. Note that the Coq plugin presented in Section 6 features a complete
translation of inductive types, pattern-matching and fixpoints. So the interested
reader may experiment with the plugin to see how fixpoints are translated.

Therefore, by summarizing all of the previous properties, we have the following
result.

Theorem 4. If T interprets CIC, then so does T_E, and thus the exceptional
translation is a syntactic model of CIC.

2.3 Flirting with Inconsistency

It is now time to point at the elephant in the room. The exceptional translation
has a lot of nice properties, but it has one grave defect.

Theorem 5. If E is inhabited, then T_E is logically inconsistent.

Proof. The empty type is translated as

    Ind empty★ : □ := empty_∅ : E → empty★

which is inhabited as soon as E is.

Note that when E is empty, the situation is hardly better, as the translation
is essentially the identity. However, when T satisfies canonicity, the situation is
not totally desperate as T_E enjoys the following weaker canonicity lemma.

Lemma 5 (Exceptional Canonicity). Let I be an inductive type with
constructors c_1, ..., c_n and assume that T satisfies canonicity. The translation
of any closed term ⊢_{T_E} M : I evaluates either to a constructor of the form
c_i★ N_1 ... N_{l_i} or to the default constructor I_∅ e for some e : E.

Proof. Direct application of Theorem 1 and canonicity of T.

A direct consequence of Lemma 5 is that any proof of the empty type is
an exception. As we will see in Section 4.1, for some types it is also possible to
dynamically check whether a term of this type is a correct proof, in the sense that
it does not raise an uncaught exception. This means that while T_E is logically
unsound, it is computationally relevant and can still be used as a dependently-typed
programming language with exceptions, a shift into a realm where we would
have called the weaker canonicity Lemma 5 a progress lemma.

This is not the end of the story, though. Recall that T_E only exists through
its embedding [·] into T. In particular, if T is consistent, this means that one
can reason about terms of T_E directly in T. For instance, it is possible to prove
in T that, assuming some properties about its input, a function in T_E never raises
an exception. Hence not only do we have an effectful programming language, but
we also have a sound logical framework allowing to transparently prove safety
properties about impure programs.

It is actually even better than that. We will show in Section 3 that safety
properties can be derived automatically for pure programs, allowing to recover
a consistent type theory as long as T is consistent itself.

2.4 Living in an Exceptional World

We describe here what T_E feels like in direct style. The exceptional theory features
a new type, also written E, which reifies the underlying type E of exceptions of T in T_E. It uses the
fact that for E, the default function (here of type E → E) can simply be defined
as the identity function. Its translation is given by

    [E] : ⟦□⟧ := TypeVal E (λe : E. e).

Then, it is possible to define in T_E a function raise : ΠA : □. E → A that
raises the provided exception at any type as

    [raise] := λ(A : type) (e : E). Err A e.

As we have already mentioned, the reader should be aware that the exceptions
arising from this translation are call-by-name. This means that they do not
behave like their usual call-by-value counterpart. In particular, we have in T_E

    raise (Πx : A. B) e ≡ λx : A. raise B e

which means that exceptions cannot be caught on Π-types. We can catch them
on universes and inductive types though, because in those cases they are freely
added through an extra constructor which one can pattern-match on. For
instance, there exists in T_E a term

    catch_bool : ΠP : bool → □. P true → P false →
                 (Πe : E. P (raise bool e)) → Πb : bool. P b

defined by

    [catch_bool] := λP p_t p_f p_e b. match b return λb. El (P b) with
                    | true★ ⇒ p_t
                    | false★ ⇒ p_f
                    | bool_∅ e ⇒ p_e e
                    end

satisfying the expected reduction rules on all three cases.

In Section 6 we illustrate the use of the exceptional theory using the Coq
plugin to define a simple cast framework as in [12].
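The exceptional inductive types of Figure 4, the inhabitant of the translated empty type from Theorem 5, raise and catch_bool from Section 2.4, and the kind of safety argument Section 2.3 describes (reasoning in T about a program of T_E), all in one added Coq example that is not code from the paper or from the exceptional-tt plugin. It assumes an exception type E and uses identifiers of our own (boolE for bool★, bool_err for bool_∅, and so on); the length function is our own illustration of the re-raising branch of Definition 4.

```coq
(* Added example, not from the paper or the exceptional-tt plugin.
   E is the assumed type of exceptions. *)
Parameter E : Type.

(* Figure 4: constructors are translated pointwise and a default constructor
   carrying an exception is added to every inductive type *)
Inductive boolE : Type :=
| trueE : boolE
| falseE : boolE
| bool_err : E -> boolE.

Inductive listE (A : Type) : Type :=
| nilE : listE A
| consE : A -> listE A -> listE A
| list_err : E -> listE A.
Arguments nilE {A}.
Arguments consE {A} _ _.
Arguments list_err {A} _.

(* Theorem 5: the translated empty type is inhabited as soon as E is *)
Inductive emptyE : Type :=
| empty_err : E -> emptyE.
Definition proof_of_false (e : E) : emptyE := empty_err e.

(* Section 2.4: raise at bool, and raise at a Π-type, which is a λ, as in
   raise (Πx:A. B) e ≡ λx:A. raise B e; nothing happens until application *)
Definition raise_bool (e : E) : boolE := bool_err e.
Definition raise_fun (A : Type) (e : E) : A -> boolE := fun _ => bool_err e.

(* catch_bool: the exception is recovered by matching on the default constructor *)
Definition catch_bool (P : boolE -> Type)
  (pt : P trueE) (pf : P falseE) (pe : forall e : E, P (bool_err e))
  (b : boolE) : P b :=
  match b as b0 return P b0 with
  | trueE => pt
  | falseE => pf
  | bool_err e => pe e
  end.

(* Definition 4: a match whose scrutinee is the default constructor re-raises
   its exception at the return type, here when computing a length *)
Inductive natE : Type :=
| OE : natE
| SE : natE -> natE
| nat_err : E -> natE.

Fixpoint lengthE {A : Type} (l : listE A) : natE :=
  match l with
  | nilE => OE
  | consE _ l' => SE (lengthE l')
  | list_err e => nat_err e
  end.

(* Section 2.3: reasoning in T about a program of T_E.  A list built without
   the default constructor has an exception-free length. *)
Fixpoint list_pure {A : Type} (l : listE A) : Prop :=
  match l with
  | nilE => True
  | consE _ l' => list_pure l'
  | list_err _ => False
  end.

Fixpoint nat_pure (n : natE) : Prop :=
  match n with
  | OE => True
  | SE n' => nat_pure n'
  | nat_err _ => False
  end.

Lemma lengthE_pure {A : Type} (l : listE A) :
  list_pure l -> nat_pure (lengthE l).
Proof.
  induction l as [| a l' IH | e]; simpl.
  - trivial.
  - exact IH.
  - intros [].
Qed.

(* the reduction rule of catch_bool on the exceptional case holds by conversion,
   as do the two others *)
Lemma catch_bool_err (P : boolE -> Type) (pt : P trueE) (pf : P falseE)
  (pe : forall e : E, P (bool_err e)) (e : E) :
  catch_bool P pt pf pe (bool_err e) = pe e.
Proof. reflexivity. Qed.
```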
    [□_i]_ε := λA : [□_i]. ⟦A⟧ → □_i

    [x]_ε := x_ε

    [λx : A. M]_ε := λ(x : ⟦A⟧) (x_ε : [A]_ε x). [M]_ε

    [M N]_ε := [M]_ε [N] [N]_ε

    [Πx : A. B]_ε := λ(f : Πx : ⟦A⟧. ⟦B⟧). Π(x : ⟦A⟧) (x_ε : [A]_ε x). [B]_ε (f x)

    ⟦A⟧_ε := [A]_ε

    ⟦·⟧_ε := ·

    ⟦Γ, x : A⟧_ε := ⟦Γ⟧_ε, x : ⟦A⟧, x_ε : [A]_ε x

Fig. 5. Parametricity over Exceptional Translation


3 Kreisel Meets Martin-Löf

It is well-known that Reynolds' parametricity and Kreisel's modified
realizability [4] are two instances of the broader logical relation techniques. Usually,
parametricity is used to derive theorems for free, while realizability constrains
programs. In a surprising turn of events, we use Bernardy's variant of
parametricity on CIC [5] as a realizability trick to evict undesirable behaviours of
T_E. This leads to the parametric exceptional translation, which can be seen as
the embodiment of Kreisel's realizability in type theory. In this section, we first
present this translation on the negative fragment, then extend it to CIC and
finally discuss its meta-theoretical properties.


3.1 Exceptional Parametricity in a Negative World

The exceptional parametricity translation for terms of CCω is defined in Figure 5.
Intuitively, any type A in T_E is turned into a validity predicate A_ε : A → □ which
encodes the fact that an inhabitant of A is not allowed to generate unhandled
exceptions. For instance, a function is valid if its application to a valid term
produces a valid answer. It does not say anything about the application to invalid
terms though, which amounts to a garbage in, garbage out policy. The translation
then states that every pure term is automatically valid.

This translation is exactly standard parametricity for type theory [5] but
parametrized by the exceptional translation. This means that any occurrence of
a term of the original theory used in the parametricity translation is replaced
by its exceptional translation, using [·] or ⟦·⟧ depending on whether it is used as
a term or as a type. For instance, the translation of an application [M N]_ε is
given by [M]_ε [N] [N]_ε instead of just [M]_ε N [N]_ε.

Lemma 6 (Substitution lemma). The translation satisfies the following
conversion: [M{x := N}]_ε ≡ [M]_ε{x := [N], x_ε := [N]_ε}.

Theorem 6 (Soundness). The two following properties hold.

— If M ≡ N then [M]_ε ≡ [N]_ε.

— If Γ ⊢ M : A then ⟦Γ⟧_ε ⊢ [M]_ε : [A]_ε [M].

Proof. By induction on the derivation.

We can use this result to construct another syntactic model of CCω. Contrary
to usual syntactic models where sequents are straightforwardly translated to
sequents, this model is slightly more subtle as sequents are translated to pairs
of sequents instead. This is similar to the usual parametricity translation.

Definition 5. The theory T_E^ε is defined by the following data.

— Terms of T_E^ε are pairs of terms of T.

— Contexts of T_E^ε are pairs of contexts of T.

— ⊢_{T_E^ε} Γ whenever ⊢_T ⟦Γ⟧ and ⊢_T ⟦Γ⟧_ε.

— M ≡_{T_E^ε} N whenever [M] ≡_T [N] and [M]_ε ≡_T [N]_ε.

— Γ ⊢_{T_E^ε} M : A whenever ⟦Γ⟧ ⊢_T [M] : ⟦A⟧ and ⟦Γ⟧_ε ⊢_T [M]_ε : [A]_ε [M].

Once again, Theorem 6 can be rephrased in terms of preservation of theories
and syntactic models.

Theorem 7. If T interprets CCω then so does T_E^ε. That is, the parametric
exceptional translation is a syntactic model of CCω.

This construction preserves definitional η-expansion, as functions are mapped
to (slightly more complicated) functions.

Lemma 7. If T satisfies definitional η-expansion, then so does T_E^ε.

Proof. The first component of the translation preserves definitional η-expansion
because functions are mapped to functions. It remains to show that

    [λx : A. M x]_ε := λ(x : ⟦A⟧) (x_ε : [A]_ε x). [M]_ε x x_ε ≡ [M]_ε

which holds by applying η-expansion twice.

It is interesting to remark that Bernardy-style unary parametricity also leads
to a syntactic model T^p that interprets CCω (as well as CIC), using the same
kind of gluing construction. Nonetheless, this model is somewhat degenerate
from the logical point of view. Namely, it is a conservative extension of the target
theory. Indeed, if Γ ⊢_{T^p} M : A for some Γ, M and A from T, then we also
have Γ ⊢_T M : A, because the first component of the model is the identity, and
the original sequent can be retrieved by the first projection.

This is definitely not the case with the T_E^ε theory, because the first projection
is not the identity. In particular, because of Theorem 5, every sequent in the first
projection is inhabited, although this is not the case in T itself if it is consistent.
This means that parametricity can actually bring additional expressive
power when it applies to a theory which is not pure, as is the case here.
    Ind bool_ε : bool★ → □ :=
    | true_ε : bool_ε true★
    | false_ε : bool_ε false★

    Ind list_ε (A : type) (A_ε : ⟦A⟧ → □) : list★ A → □ :=
    | nil_ε : list_ε A A_ε (nil★ A)
    | cons_ε : Π(x : ⟦A⟧) (x_ε : A_ε x) (l : list★ A) (l_ε : list_ε A A_ε l).
               list_ε A A_ε (cons★ A x l)

    Ind eq_ε (A : type) (A_ε : ⟦A⟧ → □) (x : ⟦A⟧) (x_ε : A_ε x) :
               Π(y : ⟦A⟧) (y_ε : A_ε y). eq★ A x y → □ :=
    | refl_ε : eq_ε A A_ε x x_ε x x_ε (refl★ A x)

Fig. 6. Examples of Parametric Translation of Inductive Types


3.2 Exceptional Parametric Translation of CIC 

We now describe the parametricity translation of the positive fragment. The 
intuition is that as it stands for an exception, the default constructor is always 
invalid, while all other constructors are valid, assuming their arguments are. 


Type and Constructor Translation 

Definition 6. Let $I$ be an inductive type as given in Definition [?]. We define the
exceptional parametricity translation $I_\varepsilon$ of $I$ as the inductive type defined by:

- parameters $(p_1 : P_1, \ldots, p_n : P_n)_\varepsilon$;

- indices $(i_1 : I_1, \ldots, i_m : I_m)_\varepsilon,\ x : I^\bullet\ p_1 \ldots p_n\ i_1 \ldots i_m$;

- constructors

$c_{1\varepsilon} : \Pi [\vec a_1 : \vec A_1]_\varepsilon.\ I_\varepsilon\ p_1\ p_{1\varepsilon} \ldots p_n\ p_{n\varepsilon}\ [i_{1,1}]\ [i_{1,1}]_\varepsilon \ldots [i_{1,m}]\ [i_{1,m}]_\varepsilon\ (c_1^\bullet\ \vec p\ \vec a_1)$

$\ldots$

$c_{k\varepsilon} : \Pi [\vec a_k : \vec A_k]_\varepsilon.\ I_\varepsilon\ p_1\ p_{1\varepsilon} \ldots p_n\ p_{n\varepsilon}\ [i_{k,1}]\ [i_{k,1}]_\varepsilon \ldots [i_{k,m}]\ [i_{k,m}]_\varepsilon\ (c_k^\bullet\ \vec p\ \vec a_k)$

and we extend the translation as

$[I]_\varepsilon := I_\varepsilon \qquad [c_k]_\varepsilon := c_{k\varepsilon}.$

Example 2. We give the exceptional parametric inductive translation of our running
examples in Figure 6.

Note that, contrarily to the negative case, the exceptional parametricity translation
on inductive types is not the same thing as the composition of Bernardy's
parametricity with the exceptional translation. Indeed, the latter would
also have produced a constructor for the default case from the exceptional
inductive translation, whereas our goal is precisely to rule this case out via the
additional realizability-like interpretation.
It is also very different from our previous parametric weaning translation [2],
which relies on internal parametricity to recover dependent elimination, enforcing
by construction that no effectful term exists. Here, effectful terms may be
used in the first component, but they are required after the fact to have no
inconsistent behaviour. Intuitively, parametric weaning produces one pure
sequent, while exceptional parametricity produces two, with the first one being
potentially impure and the second one assuring that the first one is harmless.


Pattern-matching Translation

Definition 7. Let $Q$ be the pattern-matching defined in Definition [?]. We pose
$[Q]_\varepsilon$ to be the pattern-matching

match $[M]_\varepsilon$ return $\lambda [\vec i : \vec I]_\varepsilon\ (x : I^\bullet\ [X_1] \ldots [X_n]\ i_1 \ldots i_m)$
$\quad (x_\varepsilon : I_\varepsilon\ [X_1]\ [X_1]_\varepsilon \ldots [X_n]\ [X_n]_\varepsilon\ i_1\ i_{1\varepsilon} \ldots i_m\ i_{m\varepsilon}\ x).\ [R]_\varepsilon\ [Q_x]$ with
| $c_{1\varepsilon}\ a_{1,1}\ a_{1,1\varepsilon} \ldots a_{1,l_1}\ a_{1,l_1\varepsilon} \Rightarrow [N_1]_\varepsilon$
$\ldots$
| $c_{k\varepsilon}\ a_{k,1}\ a_{k,1\varepsilon} \ldots a_{k,l_k}\ a_{k,l_k\varepsilon} \Rightarrow [N_k]_\varepsilon$
end

where $Q_x$ is the following pattern-matching

match $x$ return $\lambda (i_1 : I_1) \ldots (i_m : I_m)\ (x : I\ X_1 \ldots X_n\ i_1 \ldots i_m).\ R$ with
| $c_1\ a_{1,1} \ldots a_{1,l_1} \Rightarrow N_1$
$\ldots$
| $c_k\ a_{k,1} \ldots a_{k,l_k} \Rightarrow N_k$
end

that is, $Q$ where the scrutinee has been turned into the index variable of the
parametricity predicate.

Lemma 8. With notations and typing assumptions from Definition [?], we have
$[\Gamma] \vdash [Q]_\varepsilon : [R\{\vec i := \vec Y, x := M\}]_\varepsilon\ [Q]$.


The exceptional parametricity translation can be extended to handle fixpoints
as well, with a few limitations. Translating generic fixpoints uniformly
is indeed an open problem in standard parametricity, and our variant faces the
same issue. In practice, standard recursors can be automatically translated, and
fancy fixpoints may require hand-writing the parametricity proof. We do not
describe the recursor translation here though, as it is essentially the same as
in standard parametricity. Again, the interested reader may test the Coq plugin
presented in Section 6 to see how recursors are translated.

Packing everything together allows us to state the following result.

Theorem 8. If $\mathcal{T}$ interprets CIC, then so does $\mathcal{T}_\varepsilon^p$, and thus the exceptional
parametricity translation is a syntactic model of CIC.
3.3 Meta-Theoretical Properties of $\mathcal{T}_\varepsilon^p$

Being built as a syntactic model, $\mathcal{T}_\varepsilon^p$ inherits a lot of meta-theoretical properties
of $\mathcal{T}$. We list a few of interest below.

Theorem 9. If $\mathcal{T}$ is consistent, then so is $\mathcal{T}_\varepsilon^p$.

Proof. Assume $\vdash_{\mathcal{T}_\varepsilon^p} M_0 : \mathrm{empty}$ for some $M_0$. Then by definition, there exist
two terms $M$ and $M_\varepsilon$ such that $\vdash_{\mathcal{T}} M : \mathrm{empty}^\bullet$ and $\vdash_{\mathcal{T}} M_\varepsilon : \mathrm{empty}_\varepsilon\ M$. But
$\mathrm{empty}_\varepsilon$ has no constructor, hence $\mathcal{T}$ is inconsistent.

More generally, the same argument holds for any inductive type.

Theorem 10. If $\mathcal{T}$ enjoys canonicity, then so does $\mathcal{T}_\varepsilon^p$.

Proof. The exceptional parametricity translation of an inductive type has the
same structure as the original type, so any normal form in $\mathcal{T}_\varepsilon^p$ can be mapped
back to a normal form in $\mathcal{T}$.


4 Effectively Extending CIC 


The parametric exceptional translation allows us to extend the logical expressivity
of CIC in the following ways, which we develop in the remainder of this section.

We show in Section 4.1 that Markov's rule is admissible in CIC. We already
sketched this result in our previous paper [9], but we come back to it in more
detail. More generally, we show a form of conservativity of classical logic over
the type-theoretic version of $\Pi^0_2$ formulae.

In Section 4.2 we exhibit a syntactic model of CIC which satisfies definitional
η-expansion for functions but which negates function extensionality. As far as
we know, this was not known.

Finally, in Section 4.3 we show that there exists a model of CIC which
validates the independence of premises. This is a new result, which shows that
CIC can feature traces of classical reasoning while staying computational. We
use this result in Section 4.4 to give an alternative proof of the recent result of
Coquand and Mannaa [7] that Markov's principle is not provable in CIC.


4.1 Markov’s Rule 

We show in this section that CIC is closed under a generalized Markov's rule.
The technique used here is no more than a dependently-typed variant of Friedman's
trick [14]. Indeed, Friedman's A-translation amounts to adding exceptions to
intuitionistic logic, which is precisely what $\mathcal{T}_\varepsilon$ does for CIC.

Definition 8. An inductive type in CIC is said to be first-order if all the types
of the arguments of its constructors, of its parameters and of its indices are
recursively first-order.

Example 3. The empty, unit and $\mathbb{N}$ types are first-order. If $P$ and $Q$ are first-order
then so are $\Sigma p : P.\ Q$, $P + Q$ and $\mathrm{eq}\ P\ p_0\ p_1$. Consequently, the CIC
equivalents of $\Sigma^0_1$ formulae are in particular first-order.

First-order types enjoy uncommon properties, like the fact that they can be
injected into effectful terms and purified away. This is then used to prove the
generalized Markov's rule.

Lemma 9. For every first-order type $\vec p : \vec P \vdash Q : \square$ where all $\vec P$ are first-order,
there are retractions $\iota_P$, $\iota_Q$ and $\theta_P$, $\theta_Q$ s.t.:

$\vec p : \vec P \vdash \iota_Q : Q \to [Q]\{\vec p := \iota_P\ \vec p\}$
$\vec p : \vec P \vdash \theta_Q : [Q]\{\vec p := \iota_P\ \vec p\} \to Q + \mathbb{E}.$

Proof. The $\iota$ terms exist because effectful inductive types are a semantical
superset of their pure equivalents, and the $\theta$ terms are implemented by recursively
forcing the corresponding impure inductive term. One relies on decidability of
equality on first-order types to fix the indices.

Theorem 11 (Generalized Markov's Rule). For any first-order type $P$ and
first-order predicate $Q$ over $P$, if $\vdash_{\mathrm{CIC}} \Pi p : P.\ \neg\neg (Q\ p)$ then $\vdash_{\mathrm{CIC}} \Pi p : P.\ Q\ p$.

Proof. Let $\vdash M : \Pi p : P.\ \neg\neg (Q\ p)$. By taking $\mathbb{E} := Q\ p$ and applying the soundness
theorem, one gets a proof

$p : P \vdash [M] : \Pi p : [P].\ ([Q\ p] \to \mathrm{empty}^\bullet) \to \mathrm{empty}^\bullet.$

But $\mathrm{empty}^\bullet = \mathbb{E} = Q\ p$, so we can derive from $[M]$ a term $M_\iota$ s.t.

$p : P \vdash M_\iota : \Pi p : [P].\ ([Q\ p] \to Q\ p + Q\ p) \to Q\ p.$

The proof term we were looking for is thus no more than $\lambda p : P.\ M_\iota\ (\iota_P\ p)\ \theta_Q$.

4.2 Function Intensionality with η-expansion

In a previous paper [9], we already showed that there existed a syntactic model of
CIC that allowed to internally disprove function extensionality. Yet, this model
was clearly not preserving definitional η-expansion on functions, as it was adding
additional structure to abstraction and application (namely a boolean). Thanks
to our new model, we can now demonstrate that, counterintuitively, it is possible
to have a consistent type theory that enjoys definitional η-expansion while negating
function extensionality internally. In this section we suppose that $\mathbb{E} := \mathrm{unit}$,
although any inhabited type of exceptions would work.

By Lemma 7, we know that the parametric exceptional translation preserves
definitional η-expansion. It is thus sufficient to find two functions that are
extensionally equal but intensionally distinct in the model. Let us consider to this
end the $\mathrm{unit} \to \mathrm{unit}$ functions

$\mathrm{id}_1 := \lambda u : \mathrm{unit}.\ u \qquad \mathrm{id}_2 := \lambda u : \mathrm{unit}.\ \mathtt{tt}.$

Theorem 12. The following sequents are derivable:

$\vdash_{\mathcal{T}_\varepsilon^p} \Pi u : \mathrm{unit}.\ \mathrm{id}_1\ u = \mathrm{id}_2\ u \qquad \vdash_{\mathcal{T}_\varepsilon^p} \mathrm{id}_1 = \mathrm{id}_2 \to \mathrm{empty}.$

Proof. The main difference between the two functions is that $\mathrm{id}_1$ preserves
exceptions while $\mathrm{id}_2$ does not, which we exploit.

The first sequent is provable in CIC by dependent elimination and thus is
derivable in $\mathcal{T}_\varepsilon^p$ by applying the soundness theorem.

To prove the first component of the second sequent, we exhibit a property
that discriminates $[\mathrm{id}_1]$ and $[\mathrm{id}_2]$, which is, as explained, their evaluation on
the term $\mathrm{unit}_\emptyset\ \mathtt{tt}$. Showing then that this proof is parametric is equivalent to
showing $\Pi (p : [\mathrm{id}_1 = \mathrm{id}_2])\ (p_\varepsilon : [\mathrm{id}_1 = \mathrm{id}_2]_\varepsilon\ p).\ \mathrm{empty}$. But $p_\varepsilon$ actually implies
$[\mathrm{id}_1] = [\mathrm{id}_2]$, which we just showed was absurd.

4.3 Independence of Premise 

Independence of premise (IP) is a semi-classical principle from first-order logic
whose CIC equivalent can be stated as follows.

$\Pi (A : \square)\ (B : \mathbb{N} \to \square).\ (\neg A \to \Sigma n : \mathbb{N}.\ B\ n) \to \Sigma n : \mathbb{N}.\ \neg A \to B\ n \qquad (\mathrm{IP})$

Although not derivable in intuitionistic logic, it is an admissible rule of HA. The
standard proof of this property is to go through Kreisel's modified realizability
interpretation of HA [4]. In a nutshell, the interpretation goes as follows: by
induction over a formula $A$, define a simple type $\tau(A)$ of realizers of $A$ together
with a realizability predicate $\cdot \Vdash A$ over $\tau(A)$. Then show that whenever $\vdash_{\mathrm{HA}} A$,
there exists some simply-typed term $t : \tau(A)$ s.t. $t \Vdash A$. As the interpretation
also implies that there is no $t$ s.t. $t \Vdash \bot$, this gives a sound model of HA, which
contains more than the latter. Most notably, there is for instance a term $\mathrm{ip}$ s.t.

$\mathrm{ip} \Vdash (\neg A \to \exists n.\ B) \to \exists n.\ \neg A \to B$

for any $A$, $B$. Intriguingly, the computational content of $\mathrm{ip}$ did not seem to
receive a fair treatment in the literature. To the best of our knowledge, it has
never been explicitly stated that IP was realizable because of the following "bug"
of Kreisel's modified realizability.

Lemma 10 (Kreisel's bug). For every formula $A$, $\tau(A)$ is inhabited. In
particular, $\tau(\bot) := \mathrm{unit}$.

We show that this is actually not a bug, but a hidden feature of Kreisel's
modified realizability, which secretly allows to encode exceptions in the realizers.
To this end, we implement IP in $\mathcal{T}_\varepsilon^p$ by relying internally on paraproofs, i.e.
terms raising exceptions, while ensuring these exceptions never escape outside
of the locally unsafe boundary. The resulting $\mathcal{T}_\varepsilon$ term has essentially the same
computational content as its Kreisel realizability counterpart. In this section
we suppose that $\mathbb{E} := \mathrm{unit}$, although assuming $\mathbb{E}$ to be inhabited is sufficient.

To ease the understanding of the definition, we rely on effectful combinators
that can be defined in $\mathcal{T}_\varepsilon$.

Definition 9. We define in $\mathcal{T}_\varepsilon$ the following terms.

$\mathrm{fail} : \Pi A : \square.\ A$
$[\mathrm{fail}] := \lambda A : [\square].\ [A]_\emptyset\ \mathtt{tt}$

$\mathrm{is}_\Sigma : \Pi A\ B.\ (\Sigma x : A.\ B) \to \mathrm{bool}$
$[\mathrm{is}_\Sigma] := \lambda A\ B\ p.$ match $p$ with
  | $\mathrm{ex}^\bullet\ \_\ \_ \Rightarrow \mathrm{true}^\bullet$
  | $\Sigma_\emptyset\ \_ \Rightarrow \mathrm{false}^\bullet$
  end

$\mathrm{is}_\mathbb{N} : \mathbb{N} \to \mathrm{bool}$
$[\mathrm{is}_\mathbb{N}] := \mathrm{fix}\ \mathrm{is}_\mathbb{N}\ n :=$ match $n$ with
  | $0^\bullet \Rightarrow \mathrm{true}^\bullet$
  | $S^\bullet\ n \Rightarrow \mathrm{is}_\mathbb{N}\ n$
  | $\mathbb{N}_\emptyset\ \_ \Rightarrow \mathrm{false}^\bullet$
  end

It is worth insisting that these combinators are not necessarily parametric.
While it can be shown that $\mathrm{is}_\Sigma$ and $\mathrm{is}_\mathbb{N}$ actually are, $\mathrm{fail}$ is luckily not. The
$\mathrm{is}_\Sigma$ and $\mathrm{is}_\mathbb{N}$ functions are used in order to check that a value is actually pure
and does not contain exceptions.

Definition 10. We define $\mathrm{ip}$ in $\mathcal{T}_\varepsilon$ in direct style below, using the available
combinators from Definition 9 and a bit of syntactic sugar.

$\mathrm{ip} : \mathrm{IP}$
$\mathrm{ip} := \lambda (A : \square)\ (B : \mathbb{N} \to \square)\ (f : \neg A \to \Sigma n : \mathbb{N}.\ B\ n).$
  let $p := f\ (\mathrm{fail}\ (\neg A))$ in
  if $\mathrm{is}_\Sigma\ \mathbb{N}\ B\ p$ then match $p$ with
    | $\mathrm{ex}\ n\ b \Rightarrow$ if $\mathrm{is}_\mathbb{N}\ n$ then $\mathrm{ex}\ \_\ \_\ n\ (\lambda \_ : \neg A.\ b)$
                     else $\mathrm{ex}\ \_\ \_\ 0\ (\mathrm{fail}\ (\neg A \to B\ 0))$
    end
  else $\mathrm{ex}\ \_\ \_\ 0\ (\mathrm{fail}\ (\neg A \to B\ 0))$


The intuition behind this term is the following. Given $f : \neg A \to \Sigma n : \mathbb{N}.\ B\ n$,
we apply it to a dummy function which fails whenever it is used. Owing to the
semantics of negation, we know in the parametricity layer that the only way
for this application to return an exception is that $f$ actually contained a proof
of $A$ and applied $\mathrm{fail}$ to it. Therefore, given a true proof of $\neg A$, we are in an
inconsistent setting and thus we are able to do whatever pleases us. The issue
is that we do not have access to such a proof yet, and we do have to provide
a valid integer now. Therefore, we check whether $f$ actually provided us with a
valid pair containing a valid integer. If so, this is our answer; otherwise we stuff
in a dummy integer value and we postpone the contradiction.

This is essentially the same realizer as the one from Kreisel's modified
realizability, except that we have a fancy type system for realizers. In particular,
because we have dependent types, integers also exist in the logical layer, so that
they need to be checked for exceptions as well. The only thing that remains to
be proved is that $\mathrm{ip}$ also lives in $\mathcal{T}_\varepsilon^p$.
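The following Python model of the exceptional layer of $\mathrm{ip}$ is an added example, not code from the paper or its Coq plugin: it represents the default constructor of every translated type by a tag `Exc`, implements the combinators of Definition 9 and the first component of Definition 10, and runs them on three constructed inputs for $f$. The recursive forcing in `purify_nat` is also the shape of the $\theta_\mathbb{N}$ retraction of Lemma 9 (a pure value or the exception met while forcing); all names and sample inputs here are constructed.

```python
"""Exceptional layer of the IP realizer, modelled in Python (added example).

Call-by-name exceptions are modelled by giving each type an extra constructor
Exc(e), playing the role of the default constructor X_0 of the translation.
"""
from dataclasses import dataclass

TT = "tt"  # the only exception when E := unit (Section 4.3)


@dataclass(frozen=True)
class Exc:
    """Default constructor X_0 e: an exception inhabiting any type."""
    e: object


@dataclass(frozen=True)
class O:          # 0•
    pass


@dataclass(frozen=True)
class S:          # S• n ; pred may itself be an Exc
    pred: object


@dataclass(frozen=True)
class Ex:         # ex• n b ; b is the (never forced) proof of B n
    n: object
    b: object


def fail(ty: str):
    """[fail] := lambda A : [Box]. [A]_0 tt.  For a function type the default
    inhabitant is a function raising once applied; otherwise it is Exc itself."""
    return (lambda _arg: Exc(TT)) if ty == "function" else Exc(TT)


def is_sigma(p) -> bool:
    """[is_Sigma]: true• on ex•, false• on the default constructor Sigma_0."""
    return isinstance(p, Ex)


def purify_nat(n):
    """Recursively force an impure natural: return its pure value as an int,
    or the first Exc hidden under the successors (theta_N of Lemma 9)."""
    depth = 0
    while True:
        if isinstance(n, Exc):
            return n
        if isinstance(n, O):
            return depth
        n, depth = n.pred, depth + 1      # S• n: keep forcing the predecessor


def is_nat(n) -> bool:
    """[is_N]: true• iff no exception is hidden in the natural."""
    return not isinstance(purify_nat(n), Exc)


def ip(f):
    """First component of ip (Definition 10): apply f to a dummy refutation of A
    that fails when used, then check that the returned pair and its integer are
    pure. Otherwise answer with 0 and postpone the contradiction."""
    p = f(fail("function"))               # fail (not A) is a function raising on use
    if is_sigma(p) and is_nat(p.n):
        return Ex(p.n, lambda _not_a: p.b)
    return Ex(O(), fail("function"))      # fail (not A -> B 0)


# --- constructed sample inputs for f : not A -> Sigma n : N. B n ---
def f_pure(_not_a):        # ignores the refutation, returns a pure pair
    return Ex(S(S(O())), "proof of B 2")


def f_bad_int(_not_a):     # returns a pair whose integer hides an exception
    return Ex(S(Exc(TT)), "proof of B ?")


def f_uses_arg(not_a):     # really uses the refutation: the whole call raises
    return not_a("a proof of A")


if __name__ == "__main__":
    for f in (f_pure, f_bad_int, f_uses_arg):
        r = ip(f)
        print(f.__name__, "->", purify_nat(r.n), r.b(None))
```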

Theorem 13. There is a proof of $\vdash_{\mathcal{T}} [\mathrm{IP}]_\varepsilon\ [\mathrm{ip}]$.

Proof. The proof is straightforward but tedious, so we do not give the full details.
The file IPc.v of the companion Coq plugin contains an explicit proof. The
essential properties that make it go through are the following.

- $\vdash_{\mathcal{T}} \Pi (n : \mathbb{N}^\bullet)\ (p_1\ p_2 : \mathbb{N}_\varepsilon\ n).\ p_1 = p_2$

- $\vdash_{\mathcal{T}} \Pi n : \mathbb{N}^\bullet.\ [\mathrm{is}_\mathbb{N}]\ n = \mathrm{true}^\bullet \leftrightarrow \mathbb{N}_\varepsilon\ n$

- $\vdash_{\mathcal{T}} \Pi (p\ q : [\neg A]).\ [\neg A]_\varepsilon\ p \to [\neg A]_\varepsilon\ q$

Corollary 2. We have $\vdash_{\mathcal{T}_\varepsilon^p} \mathrm{IP}$.

4.4 Non-provability of Markov’s Principle 

From this result, one can get a very easy syntactic proof of the independence
of Markov's principle from CIC. Markov's principle is usually stated as

$\Pi P : \mathbb{N} \to \mathrm{bool}.\ \neg\neg (\Sigma n : \mathbb{N}.\ P\ n = \mathrm{true}) \to \Sigma n : \mathbb{N}.\ P\ n = \mathrm{true} \qquad (\mathrm{MP})$

An independence result was recently proved by Coquand and Mannaa by a
semantic argument [7]. We leverage instead a property from realizability [15]
that has been applied to type theory the other way around by Herbelin [16].

Lemma 11. If $\mathcal{S}$ is a computable theory containing CIC and enjoying canonicity,
then one cannot have both $\vdash_{\mathcal{S}} \mathrm{IP}$ and $\vdash_{\mathcal{S}} \mathrm{MP}$.

Proof. By applying IP to MP, one easily obtains that

$\vdash_{\mathcal{S}} \Pi P : \mathbb{N} \to \mathrm{bool}.\ \Sigma n : \mathbb{N}.\ \Pi m : \mathbb{N}.\ P\ m = \mathrm{true} \to P\ n = \mathrm{true}.$

Thus, for every closed $P : \mathbb{N} \to \mathrm{bool}$, by canonicity there exists a closed $n_P : \mathbb{N}$
s.t. $\vdash_{\mathcal{S}} \Pi m : \mathbb{N}.\ P\ m = \mathrm{true} \to P\ n_P = \mathrm{true}$. But then one can decide whether
$P$ holds for some $n$ by just computing $P\ n_P$, so that we have effectively obtained an
oracle deciding the halting problem (which is expressible in CIC).

Corollary 3. We have $\nvdash_{\mathcal{T}_\varepsilon^p} \mathrm{MP}$ and thus also $\nvdash_{\mathrm{CIC}} \mathrm{MP}$.

5 Possible extensions 

5.1 Negative Records 

Interestingly, the fact that the translation introduces effects has unintended
consequences on a few properties of type theory that are often taken for granted.
Namely, because type theory is pure, there is a widespread confusion amongst
type theorists between positive tuples and negative records.

- Positive tuples are defined as a one-constructor inductive type, introduced
by this constructor and eliminated by pattern-matching. They do not (and
in general cannot, for typing reasons) satisfy definitional η-laws, also known
as surjective pairing.

- Negative records are defined as a record type, introduced by primitive packing
and eliminated by projections. They naturally obey the definitional η-law.
$A, B, M, N ::= \ldots \mid \&x : A.\ B \mid (M, N) \mid M.\pi_1 \mid M.\pi_2$

$\dfrac{\Gamma \vdash A : \square_i \qquad \Gamma, x : A \vdash B : \square_j}{\Gamma \vdash \&x : A.\ B : \square_{\max(i,j)}}$
$\qquad \dfrac{\Gamma \vdash M : \&x : A.\ B}{\Gamma \vdash M.\pi_1 : A}$
$\qquad \dfrac{\Gamma \vdash M : \&x : A.\ B}{\Gamma \vdash M.\pi_2 : B\{x := M.\pi_1\}}$

$\dfrac{\Gamma \vdash M : A \qquad \Gamma, x : A \vdash B : \square \qquad \Gamma \vdash N : B\{x := M\}}{\Gamma \vdash (M, N) : \&x : A.\ B}$

$(M.\pi_1, M.\pi_2) \equiv M \qquad (M, N).\pi_1 \equiv M \qquad (M, N).\pi_2 \equiv N$

Fig. 7. Negative pairs

$[\&x : A.\ B] := \mathrm{TypeVal}\ (\&x : [A].\ [B])\ (\lambda e : \mathbb{E}.\ ([A]_\emptyset\ e,\ [B]_\emptyset\{x := [A]_\emptyset\ e\}\ e))$
$[(M, N)] := ([M], [N])$
$[M.\pi_1] := [M].\pi_1$
$[M.\pi_2] := [M].\pi_2$

Fig. 8. Exceptional Translation of Negative Pairs


In the remainder of this section, we will focus on the specific case of pairs, but the
same arguments generalize to arbitrary records. Positive pairs $\Sigma x : A.\ B$
are defined by the inductive type from Figure 4. Negative pairs $\&x : A.\ B$ are
defined as a primitive structure in Figure 7. We use the ampersand notation as
a reference to linear logic.

In CIC, it is possible to show that negative and positive pairs are propositionally
isomorphic, because positive pairs enjoy dependent elimination. Nonetheless,
it is a well-known fact in the programming folklore that in a call-by-name
language with effects, the two are sharply distinct. For instance, in presence of
exceptions, assuming $\vdash M : \Sigma x : A.\ B$, one does not have in general

$M \equiv \mathrm{ex}\ A\ B\ (\mathrm{fst}\ A\ B\ M)\ (\mathrm{snd}\ A\ B\ M)$

where $\mathrm{fst}$ and $\mathrm{snd}$ are defined by pattern-matching. Indeed, if $M$ is itself an
exception, the two sides can be discriminated by a pattern-matching. Matching on
the left-hand side results in immediate reraising of the exception, while matching
on the right-hand side succeeds as long as the arguments of the constructor are
not forced. Forcefully equating those two terms would then result in a trivial
equational theory.
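The discrimination just described, as an added Python model that is not code from the paper: zero-argument lambdas play the role of call-by-name arguments, positive pairs carry the extra exception constructor of $[\Sigma x : A.\ B]$, and negative pairs have projections only, with a pointwise default inhabitant as in Figure 8. All names and the sample scrutinee are constructed.

```python
"""Positive (Sigma) versus negative (&) pairs under call-by-name exceptions.

Added example. A thunk (lambda: ...) is only evaluated when forced, which models
call-by-name; Exc models the default constructor added by the translation.
"""
from dataclasses import dataclass
from typing import Any, Callable

Thunk = Callable[[], Any]


@dataclass(frozen=True)
class Exc:
    """Default constructor Sigma_0 e (or the exception of any other type)."""
    e: object


@dataclass(frozen=True)
class Ex:
    """Positive pair ex A B a b with call-by-name components."""
    a: Thunk
    b: Thunk


@dataclass(frozen=True)
class Amp:
    """Negative pair (M, N): projections only, no constructor to match on."""
    pi1: Thunk
    pi2: Thunk


def match_pos(m, k: Callable[[Thunk, Thunk], Any]):
    """Pattern-matching on a positive pair: the scrutinee is forced, and an
    exception is re-raised into the result type (Sigma_0 e => R_0 e)."""
    if isinstance(m, Exc):
        return Exc(m.e)
    return k(m.a, m.b)


def fst(m):
    """fst A B M, defined by pattern-matching."""
    return match_pos(m, lambda a, _b: a())


def snd(m):
    """snd A B M, defined by pattern-matching."""
    return match_pos(m, lambda _a, b: b())


def eta_pos(m):
    """ex A B (fst A B M) (snd A B M): the right-hand side of surjective pairing.
    The constructor is present, its arguments are left unforced."""
    return Ex(lambda: fst(m), lambda: snd(m))


def amp_default(e) -> Amp:
    """[&x:A.B]_0 e := ([A]_0 e, [B]_0 e): negative pairs have no exception
    constructor of their own, only pointwise exceptional components."""
    return Amp(lambda: Exc(e), lambda: Exc(e))


def observe(m) -> str:
    """A pattern-matching that never forces the components of the pair."""
    r = match_pos(m, lambda _a, _b: "matched")
    return "reraised" if isinstance(r, Exc) else r


# --- constructed scenario: the scrutinee M is itself an exception ---
raised = Exc("tt")

if __name__ == "__main__":
    print(observe(raised))            # reraised
    print(observe(eta_pos(raised)))   # matched: the two sides are distinguishable
    print(fst(eta_pos(raised)))       # Exc('tt'): forcing a component re-raises
    print(amp_default("tt").pi1())    # Exc('tt'): pointwise default inhabitant
```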

Such a phenomenon is at work in the exceptional translation. It is actually
possible to interpret negative pairs through the translation, but in a way that
significantly differs from the translation of positive pairs. In this section, we
assume that $\mathcal{T}$ contains negative pairs.
Definition 11. The translation of negative pairs is given in Figure 8.

It is straightforward to check that the definitions of Figure 8 preserve the
conversion and typing rules from Figure 7. The same translation can be extended
to any record. We thus have the following theorem.

Theorem 14. If $\mathcal{T}$ has negative records, then so has $\mathcal{T}_\varepsilon$.

It is enlightening to look at the difference between negative and positive pairs
through the translation, because now we have effects that allow us to separate them
clearly. Indeed, compare

$[\&x : A.\ B] = \&x : [A].\ [B] \qquad \text{with} \qquad [\Sigma x : A.\ B] \cong \mathbb{E} + \Sigma x : [A].\ [B].$

Clearly, if $\mathbb{E}$ is inhabited, then the two types do not even have the same
cardinality, assuming $A$ and $B$ are finite. Furthermore, their default inhabitant is not
the same at all. It is defined pointwise for negative pairs, while it is a special
constructor for positive ones. Finally, there is obviously no chance that
$[\Sigma x : A.\ B]$ satisfies definitional surjective pairing in vanilla CIC, as it has two
constructors. The trick is that the two types are externally distinguishable, but
are not internally so, because $\mathcal{T}_\varepsilon$ is a model of $\mathrm{CIC} + \&$ and thus proves that
they are propositionally isomorphic.

It is possible to equip negative pairs with a parametricity relation defined
as a primitive record which is the pointwise parametricity relation of each field,
which naturally preserves typing and conversion rules.

Theorem 15. If $\mathcal{T}$ has negative records, then so has $\mathcal{T}_\varepsilon^p$.


5.2 Impredicative Universe 


All the systems we have considered so far are predicative. It is nonetheless possible
to implement an impredicative universe $*$ in $\mathcal{T}_\varepsilon$ if $\mathcal{T}$ features one. We only
allude to the construction here; a detailed account can be found in the Appendix.

Intuitively, it is sufficient to ask for an inductive type $\mathrm{prop}$ living in $\square_i$
for all $i$, which is defined just as $\mathrm{type}$, except that its constructor $\mathrm{PropVal}$
corresponding to $\mathrm{TypeVal}$ contains elements of $*$ rather than $\square$. Then one can
similarly define $\mathrm{El}_*$ and $\mathrm{Err}_*$ acting on $\mathrm{prop}$ rather than $\mathrm{type}$. One then slightly
tweaks the $[\![\cdot]\!]$ macro from Figure 2 by defining it instead as

$[\![A]\!] := \mathrm{El}_*\ [A]$ if $A : *$, and $[\![A]\!] := \mathrm{El}\ [A]$ otherwise,

and similarly for type constructors. With this modified translation, one obtains
a soundness theorem for $\mathrm{CC}_\omega$.

Theorem 16. The exceptional translation is a syntactic model of $\mathrm{CC}_\omega + *$.

Likewise, the inductive translation is amenable to interpret an impredicative
universe, with one major restriction though.

Theorem 17. The exceptional translation is a syntactic model of $\mathrm{CIC} + *$ without
the singleton elimination rule.

Indeed, the addition of the default constructor disrupts the singleton elimination
criterion for all inductive types. Actually, this criterion is very fragile, and
even if $\mathcal{T}_\varepsilon$ satisfied it, Keller and Lasson showed that the parametricity
translation could not interpret inductive types in $*$ for similar reasons [17], and $\mathcal{T}_\varepsilon^p$
would face the same issue.


6 The Exceptional Translation in Practice 

6.1 Implementation as a Coq Plugin 

The (parametric) exceptional translation is a translation of CIC into itself, which
means that we can directly implement it as a Coq plugin. This way, we can
use the translation to safely extend Coq with new logical principles, so that
typechecking remains decidable.

Such a Coq plugin is simply a program that, given a Coq proof term $M$,
produces the translations $[M]$ and $[M]_\varepsilon$ as Coq terms. For instance, the translations
of the type list, given in Figures 4 and 6, are obtained by typing the following
commands, each of which defines a new inductive type in Coq.

Effect Translate list.

Parametricity Translate list.

The first command produces only $[\mathrm{list}]$, while the second produces $[\mathrm{list}]_\varepsilon$. But
the main interest of the translation is that we can exhibit new constructors. For
instance, the raise operation described in Section 2.1 is defined as

Effect Definition Exception : Type := fun E => TypeVal E E id.

Effect Definition raise : forall A, Exception -> A := fun E (A : type E) => Err A.

6.2 Usecase: A Cast Framework 

We can use the ability to raise exceptions to define partial functions in the
exceptional layer. For instance, given a decidable property (described by the type
class below), it is then possible to define a cast function from A to Σ (a : A). P a
returning the converted value if the property is satisfied and raising an exception
otherwise (using an inhabitant cast_failed of Exception).

Class Decidable (A : Type) := dec : A + (not A).

Definition cast A (P : A -> Type) (a : A) (Hdec : Decidable (P a)) : Σ (a : A). P a
  := match dec (P a) with
     | inl p => (a ; p)
     | inr _ => raise cast_failed
     end.
Using this cast mechanism, it is easy to define a function list_to_pair
from lists to pairs by first converting the list into a list of size two, using the
impure function cast (list A) (fun l => List.length l = 2), and then recovering a
pair from a list of size two using a pure function.

In the exceptional layer, it is possible to prove the following property

Definition list_to_pair_prop A (x y : A) : list_to_pair [x ; y] = (x, y).

in at least two ways. One can perfectly prove it by simply raising an exception
at top level, or by reflexivity, using the fact that list_to_pair [x ; y] actually
reduces to (x, y).

However, there is a way to distinguish between those two proofs in the target
theory, here Coq, by stating the following lemma, which can only be proven for the
proof not raising an exception.

Definition list_to_pair_prop_soundness A x y :
  list_to_pair_prop• A x y = eq_refl• _ := eq_refl _.

where underscores represent arguments inferred by Coq.

7 Related Work 

Adding dependency to an effectful language. There are numerous works on adding
dependent types to mainstream effectful programming languages. They mostly
focus on how to appropriately restrict effectful terms from appearing in types.
Indeed, if types only depend on pure terms, the problem of having two different
evaluations of the effect of a term (at the level of types and at the level of
terms) disappears. This is the case for instance for Dependent ML of Xi and Pfenning
[18], or more recently for Casinghino et al. [19] on how to combine proofs
and programs when programs can be non-terminating. The F* programming
language of Swamy et al. [20] uses a notion of primitive effects including state,
exceptions, divergence and IO. Each effect is described through a monadic predicate
transformer semantics which allows one to have a pure core dependent language
to reason on those effects. On a more foundational side, there are two recent and
overlapping lines of work on the description of a dependent call-by-push-value
(CBPV) by Ahman et al. [21] and Vákár [22]. Those works also use a purity
restriction for dependency but, using the CBPV language, deal with any effect
described in monadic style. On another line of work, Brady advocates for the
use of algebraic effects as an elegant way to combine effects more smoothly
than with a monadic approach and gives an implementation in Idris [23].

Adding effects to a dependently-typed language. Nanevski et al. [24] have developed
Hoare type theory (HTT) to extend Coq with monadic-style effects. To
this end, they provide an axiomatic extension of Coq with a monad in which
to encapsulate imperative code. Important tools have been developed on HTT,
most notably the Ynot project [25]. Apart from being axiomatic, their monadic
approach does not allow mixing effectful programs and dependency but is rather
made for proving inside Coq properties of simply typed imperative programs.
Internal translation of type theory. A non-axiomatic way to extend type theory
with new features is to use internal translations, that is, translations of type theory
into itself as advocated for by Boulier et al. [9]. The presentation of parametricity
for type theory given by Bernardy and Lasson [5] can be seen as one of the first
internal translations of type theory. However, this one does not add any new
power to type theory as it is a conservative extension. Barthe et al. [26] have
described a CPS translation for $\mathrm{CC}_\omega$ featuring call-cc, but without dealing
with inductive types and relying on a form of type stratification. A variant of
this translation has been extended recently by Bowman et al. [27] to dependent
sums using answer-type polymorphism $\Pi \alpha : \square.\ (A \to \alpha) \to \alpha$. A generic class of
internal translations has been defined by Jaber et al. [28] using forcing, which can
be seen as a type-theoretic version of the presheaf construction used in categorical
logic. This class of translations works on all of CIC but for a restricted version of
dependent elimination, identical to the Baclofen type theory [2]. Therefore, to the
best of our knowledge, the exceptional translation is the first complete internal
translation of CIC adding a particular notion of effect.

8 Conclusion and Future Work 

In this paper, we have defined the exceptional translation, the first syntactic
translation of the Calculus of Inductive Constructions into itself that adds effects
and covers full dependent elimination. This results in a new type theory,
which features call-by-name exceptions with decidable type-checking and a
weaker form of canonicity. We have shown that although the resulting theory
is inconsistent, it is possible to reason on exceptional programs and show that
some of them actually never raise an exception by relying on the target theory.
This provides a sound logical framework allowing to transparently prove safety
properties about impure dependently-typed programs. Then, using parametricity,
we have given an additional layer on top of the exceptional translation
in order to tame exceptions and preserve consistency. This way, we have consistently
extended the logical expressivity of CIC with independence of premises,
Markov's rule, and the negation of function extensionality while retaining η-expansion.
Both translations have been implemented in a Coq plugin, which we
use to formalize the examples.

One of the main directions of future work is to investigate whether other kinds
of effects can give rise to an internal translation of CIC. To that end, it seems
promising to look at algebraic presentations of effects. Indeed, the recent work on
the non-necessity of the value restriction policy for algebraic effects and handlers
of Kammar and Pretnar [29] suggests that we should be able to perform similar
translations on CIC with full dependent elimination for other algebraic effects
and handlers than exceptions.




References 


1. Moggi, E.: Notions of computation and monads. Information and Computation 
93(1) (July 1991) 55-92 

2. Pedrot, P., Tabareau, N.: An effectful way to eliminate addiction to dependence. 
In: 32nd Annual Symposium on Logic in Computer Science, LICS 2017, Reykjavik, 
Iceland, June 20-23, 2017. (2017) 1-12 

3. Munch-Maccagnoni, G.: Models of a Non-Associative Composition. In Muscholl, 
A., ed.: 17th International Conference on Foundations of Software Science and 
Computation Structures. Volume 8412., Grenoble, France, Springer (April 2014) 
396-410 

4. Kreisel, G.: Interpretation of analysis by means of constructive functionals of finite
types. In Heyting, A., ed.: Constructivity in Mathematics. Amsterdam: North-
Holland Pub. Co. (1959) 101-128

5. Bernardy, J.P., Lasson, M.: Realizability and parametricity in pure type systems.
In: Foundations of Software Science and Computational Structures. Volume 6604.,
Saarbrücken, Germany (March 2011) 108-122

6. Avigad, J., Feferman, S.: Gödel's functional ("Dialectica") interpretation. In: The
Handbook of Proof Theory. North-Holland (1999) 337-405

7. Coquand, T., Mannaa, B.: The independence of Markov's principle in type theory.
In: 1st International Conference on Formal Structures for Computation and
Deduction, FSCD 2016, June 22-26, 2016, Porto, Portugal. (2016) 17:1-17:18

8. Coquand, T., Huet, G.P.: The Calculus of Constructions. Inf. Comput. 76(2/3) 
(1988) 95-120 

9. Boulier, S., Pedrot, P., Tabareau, N.: The next 700 syntactical models of type the¬ 
ory. In: Proceedings of the 6th ACM SIGPLAN Conference on Certified Programs 
and Proofs, CPP 2017, Paris, France, January 16-17, 2017. (2017) 182-194 

10. The Coq Development Team: The Coq proof assistant reference manual (2017) 

11. Werner, B.: Une Théorie des Constructions Inductives. PhD thesis, Université
Paris-Diderot - Paris VII (May 1994)

12. Tanter, E., Tabareau, N.: Gradual certified programming in Coq. In: Proceedings 
of the 11th ACM Dynamic Languages Symposium (DLS 2015), Pittsburgh, PA, 
USA, ACM Press (October 2015) 26-40 

13. Reynolds, J.C.: Types, abstraction and parametric polymorphism. In: IFIP 
Congress. (1983) 513-523 

14. Friedman, H.: Classically and intuitionistically provably recursive functions.
Springer Berlin Heidelberg, Berlin, Heidelberg (1978) 21-27

15. Troelstra, A., ed.: Metamathematical Investigation of Intuitionistic Arithmetic and 
Analysis. Lecture Notes in Mathematics. Springer (1973) 

16. Herbelin, H.: An intuitionistic logic that proves Markov's principle. In: Proceedings
of the 25th Annual Symposium on Logic in Computer Science, LICS 2010, 11-14
July 2010, Edinburgh, United Kingdom. (2010) 50-56

17. Keller, C., Lasson, M.: Parametricity in an impredicative sort. In: Computer 
Science Logic (CSL’12) - 26th International Workshop/21st Annual Conference of 
the EACSL, CSL 2012, September 3-6, 2012, Fontainebleau, France. (2012) 381- 
395 

18. Xi, H., Pfenning, F.: Dependent types in practical programming. In: Proceedings 
of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming 
Languages. POPL ’99, New York, NY, USA, ACM (1999) 214-227 





19. Casinghino, C., Sjöberg, V., Weirich, S.: Combining proofs and programs in a
dependently typed language. In: Proceedings of the 41st ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages. POPL '14, New York, NY,
USA, ACM (2014) 33-45

20. Swamy, N., Hri^cu, C., Keller, C., Rastogi, A., Delignat-Lavaud, A., Forest, S., 
Bhargavan, K., Fournet, C., Strub, P.Y., Kohlweiss, M., Zinzindohoue, J.K., 
Zanella-Beguelin, S.: Dependent types and multi-monadic effects in F*. In: 43nd 
ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages 
(POPL), ACM (January 2016) 256-270 

21. Aliman, D., Ghani, N., Plotkin, G.D.: Dependent types and fibred computational 
effects. In: 19th International Conference on Foundations of Software Science and 
Computation Structures, Eindhoven, The Netherlands, Springer Berlin Heidelberg 
(2016) 36-54 

22. Vakar, M.: A framework for dependent types and effects (2015) draft. 

23. Brady, E.: Idris, a general-purpose dependently typed programming language: 
Design and implementation. Journal of Functional Programming 23(05) (2013) 
552-593 

24. Nanevski, A., Morrisett, G., Birkedal, L.: Hoare type theory, polymorphism and 
separation. Journal of Functional Programming 18(5-6) (2008) 865-911 

25. Chlipala, A., Malecha, G., Morrisett, G., Shinnar, A., Wisnesky, R.: Effective 
interactive proofs for higher-order imperative programs. In: Proceedings of the 
14th ACM SIGPLAN International Conference on Functional Programming. ICFP 
’09, New York, NY, USA, ACM (2009) 79-90 

26. Barthe, G., Hatcliff, J., S0rensen, M.H.B.: CPS translations and applications: The 
cube and beyond. Higher Order Symbol. Comput. 12(2) (September 1999) 125-170 

27. Bowman, W., Cong, Y., R.ioux, N., Ahmed, A.: Type-preserving CPS translation 
of a and 7r types is not not possible. In: Proceedings of the 45st ACM SIGPLAN- 
SIGACT Symposium on Principles of Programming Languages. POPL T8, New 
York, NY, USA, ACM (2018) 

28. Jaber, G., Lewertowski, G., Pedrot, P., Sozeau, M., Tabareau, N.: The definitional 
side of the forcing. In: Proceedings of the 31st Annual ACM/IEEE Symposium on 
Logic in Computer Science, LICS T6, New York, NY, USA, July 5-8, 2016. (2016) 
367-376 

29. Kammar, O., Pretnar, M.: No value restriction is needed for algebraic effects and 
handlers. Journal of Functional Programming 27 (2017) 


27 



A Appendix 

A.1 Negative Records

In this section we describe the generic translation of negative records, that is,
structures defined by their projections and satisfying definitional η-laws.

\[
\begin{array}{rcl}
[\mathcal{R}] & := & \lambda(p_1 : [P_1]) \ldots (p_n : [P_n]).\\
& & \quad \mathrm{TypeVal}\ (\mathcal{R}^*\ p_1 \ldots p_n)\\
& & \quad\quad (\lambda e : \mathbb{E}.\ ([A_1]_\emptyset\ e, \ldots, [A_k]_\emptyset\{f := [A]_\emptyset\ e\}\ e))\\[4pt]
[M.f_i] & := & [M].f_i^*\\[4pt]
[(M_1, \ldots, M_k)_{\mathcal{R}}] & := & ([M_1], \ldots, [M_k])_{\mathcal{R}^*}
\end{array}
\]

Fig. 9. Record Type Translation 


Definition 12. Let ℛ be the record type defined by

- parameters $p_1 : P_1, \ldots, p_n : P_n$;
- fields $f_1 : A_1, \ldots, f_k : A_k$;
- constructor $(\cdot)_{\mathcal{R}} : \Pi(f_1 : A_1) \ldots (f_k : A_k).\ \mathcal{R}\ p_1 \ldots p_n$.

We define the exceptional translation of ℛ and its constructors in Figure 9, where
ℛ* is the record type defined by

- parameters $p_1 : [P_1], \ldots, p_n : [P_n]$;
- fields $f_1^* : [A_1], \ldots, f_k^* : [A_k]\{f := f^*\}$;
- constructor $(\cdot)_{\mathcal{R}^*} : \Pi(f_1 : [A_1]) \ldots (f_k : [A_k]).\ \mathcal{R}^*\ p_1 \ldots p_n$

where in the recursive calls in the various $A_i$ we locally set

\[
[\mathcal{R}\ M_1 \ldots M_n] := \mathcal{R}^*\ [M_1] \ldots [M_n].
\]

Example 4. We give examples of this translation in Figure 10 in a Coq-like
syntax. For completeness, we show that we can also handle co-inductive records.

Remark that in particular, the default value is defined pointwise, e.g.

\[
[\mathrm{sig}\ A\ B]_\emptyset\ e = \mathrm{ex}^*\ [A]\ [B]\ ([A]_\emptyset\ e)\ ([B\ x]_\emptyset\{x := [A]_\emptyset\ e\}\ e)
\]

which is completely different from the default value one would have obtained in
the one-constructor inductive type case.

It is straightforward to check that this translation preserves both typing and
reduction rules, as well as positivity conditions in the absence of nested record
types⁶.

⁶ CIC becomes fairly blurry at this point about the specification of positivity for
records, as the only reference is the Coq implementation. There is no formal proof
that it is a sound system whatsoever, and in practice a few surprises arose like the
inconsistency of definitional η-laws for co-inductive types.
Record sig (A : □) (B : A → □) := ex {
  fst : A;
  snd : B fst;
}

Record sig* (A : [□]) (B : [A] → [□]) := ex* {
  fst* : El A;
  snd* : El (B fst*);
}

CoInd stream (A : □) := Stream {
  hd : A;
  tl : stream A;
}

CoInd stream* (A : [□]) := Stream* {
  hd* : El A;
  tl* : stream* A;
}


Fig. 10. Examples of Record Type Translations 


Theorem 18. If 𝒯 has negative records, then so has 𝒯_𝔼.

This translation can be extended to the parametric case in a generic way.
Once again, there is a fundamental difference with the inductive case. Instead of
enforcing parametricity through an index, the parametric exceptional translation
of records has an additional parameter, and parametricity is ensured pointwise
for every projection. We define this formally below.

Definition 13. Let the record type ℛ be defined as above. We define the exceptional
parametricity record translation ℛ_ε as the record with

- parameters $[p : P]_\varepsilon$, $r : \mathcal{R}^*\ p_1 \ldots p_n$;
- fields $f_{1\varepsilon} : [A_1]_\varepsilon\ r.f_1^*, \ldots, f_{k\varepsilon} : [A_k]_\varepsilon\{f := r.f^*\}\ r.f_k^*$;
- constructor $(\cdot)_{\mathcal{R}_\varepsilon} : \Pi(f_1 : [A_1]_\varepsilon\ r.f_1^*) \ldots (f_k : [A_k]_\varepsilon\ r.f_k^*).\ \mathcal{R}_\varepsilon\ p_1 \ldots p_n\ r$

Example 5. We give examples of the parametric translation in Figure 11.

The parametricity translation can be shown to preserve typing and reduction.

Theorem 19. If 𝒯 has negative records, then so has 𝒯_ε.
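A hand-written instance of Figures 9 to 11 for sig, added here as an example (it is not the paper's text nor its plugin's code). It assumes a one-exception type E, the degenerate choice El (TypeErr e) := E, and spells ℛ*, (·)_{ℛ*} and ℛ_ε as sig_star, ex_star and sig_eps:

```coq
(* Added example: the record translation of Figures 9-11 for sig, in plain Coq.
   Assumptions: a single exception Oops, and El (TypeErr e) := E (degenerate Omega). *)
Inductive E : Type := Oops.

(* The type of exceptional types: a type packed with its default value. *)
Inductive type : Type :=
| TypeVal : forall (A : Type), (E -> A) -> type
| TypeErr : E -> type.

Definition El (A : type) : Type :=
  match A with TypeVal A0 _ => A0 | TypeErr _ => E end.

Definition Err (A : type) (e : E) : El A :=
  match A return El A with TypeVal _ A0 => A0 e | TypeErr _ => e end.

(* sig* from Figure 10: the same fields, each living in the translated type. *)
Record sig_star (A : type) (B : El A -> type) := ex_star {
  fst_star : El A;
  snd_star : El (B fst_star)
}.

(* [sig A B] from Figure 9: the default value is built pointwise, the second
   component being the default of B taken at the default of A. *)
Definition sig_tr (A : type) (B : El A -> type) : type :=
  TypeVal (sig_star A B)
          (fun e => ex_star A B (Err A e) (Err (B (Err A e)) e)).

(* The pointwise equation of Example 4 holds by computation (definitionally). *)
Example default_pointwise (A : type) (B : El A -> type) (e : E) :
  Err (sig_tr A B) e = ex_star A B (Err A e) (Err (B (Err A e)) e)
  := eq_refl.

(* sig_eps from Figure 11: parametricity is an extra record over r : sig* A B,
   asserted field by field on the projections of r rather than through an index. *)
Record sig_eps (A : type) (Ae : El A -> Type)
               (B : El A -> type) (Be : forall x, Ae x -> El (B x) -> Type)
               (r : sig_star A B) := ex_eps {
  fst_eps : Ae r.(fst_star);
  snd_eps : Be r.(fst_star) fst_eps r.(snd_star)
}.
```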


A.2 Impredicative Universe 

Although we only considered predicative universes up to now, it is actually possible
to interpret an impredicative universe through the exceptional translation.
Rules for manipulation of an impredicative universe are given in Figure 12. We
assume in this section that 𝒯 features an impredicative universe.
Record sig_ε A A_ε B B_ε (r : sig* A B) := ex_ε {
  fst_ε : A_ε r.fst*;
  snd_ε : B_ε r.fst* fst_ε r.snd*;
}

CoInd stream_ε (A : [□]) (A_ε : [A] → □) (r : stream* A) := Stream_ε {
  hd_ε : A_ε r.hd*;
  tl_ε : stream_ε A A_ε r.tl*;
}


Fig. 11. Examples of Record Type Translations 


\[
A, B, M, N ::= \ldots \mid *
\]

\[
\frac{\Gamma \vdash A : \square_i \qquad \Gamma, x : A \vdash B : *}{\Gamma \vdash \Pi x : A.\ B : *}
\qquad\qquad
\frac{\vdash \Gamma}{\Gamma \vdash * : \square_i}
\]

Fig. 12. Impredicative universe 


It is not very difficult to adapt the translation to account for such a sort. We
simply require that 𝒯 features the following additional structure, which is the
counterpart of type for the impredicative universe *.

Definition 14 (Exceptional Prop). We assume that 𝒯 features the data below,
where the i index stands for universe polymorphism.

- $\mathrm{prop} : \square_i$
- $\mathrm{PropVal} : \Pi A : *.\ (\mathbb{E} \to A) \to \mathrm{prop}$
- $\mathrm{PropErr} : \mathbb{E} \to \mathrm{prop}$
- $\mathrm{prop\_elim}_i : \Pi P : \mathrm{prop} \to \square_i.\ (\Pi(A : *)\,(A_\emptyset : \mathbb{E} \to A).\ P\ (\mathrm{PropVal}\ A\ A_\emptyset)) \to (\Pi e : \mathbb{E}.\ P\ (\mathrm{PropErr}\ e)) \to \Pi T : \mathrm{prop}.\ P\ T$
- $\Omega^* : \mathbb{E} \to *$
- $\omega^* : \Pi e : \mathbb{E}.\ \Omega^*\ e$

subject to the following definitional equations:

\[
\begin{array}{rcl}
\mathrm{prop\_elim}_i\ P\ p_v\ p_\emptyset\ (\mathrm{PropVal}\ A\ A_\emptyset) & \equiv & p_v\ A\ A_\emptyset\\
\mathrm{prop\_elim}_i\ P\ p_v\ p_\emptyset\ (\mathrm{PropErr}\ e) & \equiv & p_\emptyset\ e.
\end{array}
\]

The prop type is just an inductive type (in □_i), but is once again posited
instead of declared as such for the sake of simplicity. Also, Ω* serves the very
same purpose for * as Ω_i does for □_i, and can be taken to be degenerate in the
same way.

Just as for exceptional types, it is possible to derive the following functions.

Definition 15. We derive the following definitions.

\[
\begin{array}{rcl}
\mathrm{El}^* & : & \mathrm{prop} \to *\\
& := & \lambda A : \mathrm{prop}.\ \mathrm{prop\_elim}\ (\lambda T : \mathrm{prop}.\ *)\ (\lambda(A_0 : *)\,(A_\emptyset : \mathbb{E} \to A_0).\ A_0)\ \Omega^*\ A\\[4pt]
\mathrm{Err}^* & : & \Pi A : \mathrm{prop}.\ \mathbb{E} \to \mathrm{El}^*\ A\\
& := & \lambda(A : \mathrm{prop})\,(e : \mathbb{E}).\ \mathrm{prop\_elim}\ \mathrm{El}^*\ (\lambda(A_0 : *)\,(A_\emptyset : \mathbb{E} \to A_0).\ A_\emptyset\ e)\ \omega^*\ A
\end{array}
\]

In order to properly extend the translation to interpret CC_ω + *, one would
technically need to annotate λ, Π and context variables with the sort they are
supposed to live in, so that the translation operates at the level of pure terms
instead of derivations. While doable, this would be cumbersome, and as we only
want to show a proof of concept, we stick to an intuitive but slightly wrong
presentation here.

Definition 16 (Exceptional Translation of CC_ω + *). The translation is
defined as in the figure giving the exceptional translation of CC_ω, except that we
override the following macros.

\[
\begin{array}{rcl}
[*] & := & \mathrm{TypeVal}\ \mathrm{prop}\ \mathrm{PropErr}\\[4pt]
[\Pi x : A.\ B] & := & \left\{\begin{array}{ll}
\mathrm{PropVal}\ (\Pi x : [\![A]\!].\ [\![B]\!])\ (\lambda(e : \mathbb{E})\,(x : [\![A]\!]).\ [B]_\emptyset\ e) & \text{if } B : *\\
\mathrm{TypeVal}\ (\Pi x : [\![A]\!].\ [\![B]\!])\ (\lambda(e : \mathbb{E})\,(x : [\![A]\!]).\ [B]_\emptyset\ e) & \text{otherwise}
\end{array}\right.\\[4pt]
[A]_\emptyset & := & \left\{\begin{array}{ll}
\mathrm{Err}^*\ [A] & \text{if } A : *\\
\mathrm{Err}\ [A] & \text{otherwise}
\end{array}\right.\\[4pt]
[\![A]\!] & := & \left\{\begin{array}{ll}
\mathrm{El}^*\ [A] & \text{if } A : *\\
\mathrm{El}\ [A] & \text{otherwise}
\end{array}\right.
\end{array}
\]

Note that this translation would not be able to interpret a cumulativity
relation of the form * ⊆ □_i, as this would require prop ≤ type_i, which is not
the case if we implement them as distinct inductive types. Here, this does not
matter as we did not endow CC_ω with such a cumulativity relation.

Lemma 12. The following definitional equations hold:

- $[\![*]\!] \equiv \mathrm{prop}$
- $[*]_\emptyset\ e \equiv \mathrm{PropErr}\ e$

Theorem 20. The exceptional translation is a syntactic model of CC_ω + *.

Proof. We only have to check the following properties specifically; the rest is a
variation over Theorem 1.

- We have $\vdash [*] : [\![\square_i]\!]$ by virtue of the typing rules for prop and PropErr.
- Furthermore, if $\Gamma, x : A \vdash B : *$, we have to show that $[\Gamma] \vdash [\Pi x : A.\ B] : [\![*]\!]$.
This holds by impredicativity, as $[\Gamma], x : [\![A]\!] \vdash [\![B]\!] : *$ by the
induction hypothesis on B and the fact that $\mathrm{El}^* : \mathrm{prop} \to *$.


One could also hope that the exceptional translation is a model of CIC + *
too. Although we will not give the full details, we argue here that this is almost
the case... but not quite. The only thing we have to do is to provide a translation
for inductive types living in * together with their pattern-matching.

Definition 17. The translations of inductive types and of their pattern-matching
from the earlier definitions can be carried out in the presence of an impredicative
universe in a similar way, by applying the changes from Definition 16 and changing
TypeVal into PropVal for inductive types living in *.

For the same reason as their predicative counterparts, these translations preserve
typing, except for one critical detail.

Theorem 21. The exceptional translation is a syntactic model of CIC + * without
the singleton elimination rule.

Proof. It is not hard to adapt the arguments to prove that typing is preserved 
similarly. Failure of preservation of singleton elimination is discussed below. 

Singleton elimination is a key feature of CIC + * that acts as an escape hatch
to make information flow from * to □. This rule can be formalized as follows:
pattern-matching over a term of an inductive type in * whose return clause is in
□ is forbidden, unless the two following conditions are met:

1. The inductive type being matched over has at most one constructor.

2. If it has one, all its arguments live in *.

It is very simple to check why the exceptional translation breaks singleton
elimination. First, it adds a new default constructor, so that any type with one
constructor now has two. The only types that may preserve singleton elimination
thus have no constructors, i.e. they are empty. But the default constructor of
any inductive type takes as an argument a term of type 𝔼, which lives in □.
Therefore, no translated inductive type satisfies the singleton elimination criterion.

This means that, although the translation can interpret an impredicative 
universe, there is no way to make any information flow from the latter to any 
predicative universe. Somehow, the two worlds are completely disconnected. 
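The impredicative layer of Definitions 14 and 15, and the singleton-elimination failure just discussed, written out in Coq with Prop playing the role of *. This is an added example, not the paper's text nor its plugin's code; it assumes a one-exception type E, the degenerate choice Ω* e := True with ω* e := I, and spells El* and Err* as Elp and Errp:

```coq
(* Added example: the exceptional Prop of Definition 14 with Coq's Prop as *.
   Assumptions: a single exception Oops, Omega* e := True, omega* e := I. *)
Inductive E : Type := Oops.

(* prop: a proposition packed with its default proof, or a raised exception. *)
Inductive prop : Type :=
| PropVal : forall (A : Prop), (E -> A) -> prop
| PropErr : E -> prop.

(* El* : prop -> Prop, obtained from prop_elim with P := fun _ => Prop. *)
Definition Elp (A : prop) : Prop :=
  match A with PropVal A0 _ => A0 | PropErr _ => True end.

(* Err* : forall A : prop, E -> El* A, raising e at any exceptional proposition. *)
Definition Errp (A : prop) (e : E) : Elp A :=
  match A return Elp A with PropVal _ A0 => A0 e | PropErr _ => I end.

(* Both definitional equations of prop_elim are visible by computation. *)
Example elim_val (A : Prop) (A0 : E -> A) : Elp (PropVal A A0) = A := eq_refl.
Example elim_err (e : E) : Elp (PropErr e) = True := eq_refl.
Example err_val (A : Prop) (A0 : E -> A) (e : E) :
  Errp (PropVal A A0) e = A0 e := eq_refl.

(* Singleton elimination: the source type True (one constructor, no argument)
   may be matched with a return clause in Set. *)
Definition from_True (x : True) : unit := match x with I => tt end.

(* Its exceptional translation gains a default constructor carrying e : E,
   where E lives in Type: two constructors, one with a non-Prop argument.
   Coq therefore rejects the same match, which is exactly what Theorem 21
   excludes; the Fail prefix records that the rejection is expected. *)
Inductive True_star : Prop :=
| I_star : True_star
| True_err : E -> True_star.

Fail Definition from_True_star (x : True_star) : unit :=
  match x with I_star => tt | True_err _ => tt end.
```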